fix: address code review findings from EC_KEY migration

- Replace CryptoKeyInternal duck type with CryptoKey import in hkdf.ts,
  removing the any escape hatch (#2)
- Use EVP_PKEY_bits() instead of allocating EC_GROUP just for field_size
  in exportJwk; hardcode field sizes for known curves in initJwk (#3)
- Move createEcEvpPkey from inline header to QuickCryptoUtils.cpp to
  avoid code duplication across translation units (#4)
- Remove unnecessary 'as any' casts in JWK round-trip tests since
  KeyInputObject already accepts JWK (#6)

Author: boorad

example/src/tests/keys/create_keys.ts

@@ -431,8 +431,7 @@ for (const { namedCurve, crv, hash } of EC_CURVES) {
       expect(jwk.y).to.match(/^[A-Za-z0-9_-]+$/);
       expect(jwk.d).to.match(/^[A-Za-z0-9_-]+$/);
 
-      // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      const reimported = createPrivateKey({ key: jwk as any, format: 'jwk' });
+      const reimported = createPrivateKey({ key: jwk, format: 'jwk' });
       expect(reimported.type).to.equal('private');
       expect(reimported.asymmetricKeyType).to.equal('ec');
 
@@ -478,8 +477,7 @@ for (const { namedCurve, crv, hash } of EC_CURVES) {
       expect(jwk.y).to.match(/^[A-Za-z0-9_-]+$/);
       expect(jwk.d).to.equal(undefined);
 
-      // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      const reimported = createPublicKey({ key: jwk as any, format: 'jwk' });
+      const reimported = createPublicKey({ key: jwk, format: 'jwk' });
       expect(reimported.type).to.equal('public');
       expect(reimported.asymmetricKeyType).to.equal('ec');
     },

packages/react-native-quick-crypto/android/CMakeLists.txt

@@ -58,6 +58,7 @@ add_library(
   ../cpp/sign/HybridSignHandle.cpp
   ../cpp/sign/HybridVerifyHandle.cpp
   ../cpp/utils/HybridUtils.cpp
+  ../cpp/utils/QuickCryptoUtils.cpp
   ${BLAKE3_SOURCES}
   ../deps/fastpbkdf2/fastpbkdf2.c
   ../deps/ncrypto/src/aead.cpp

packages/react-native-quick-crypto/cpp/keys/HybridKeyObjectHandle.cpp

@@ -258,14 +258,10 @@ JWK HybridKeyObjectHandle::exportJwk(const JWK& key, bool handleRsaPss) {
 
     std::string curve_name(curve_name_buf, name_len);
 
-    int nid = OBJ_txt2nid(curve_name.c_str());
-    EC_GROUP* group = EC_GROUP_new_by_curve_name(nid);
-    if (!group)
-      throw std::runtime_error("Unknown curve");
-
-    // Get the field size in bytes for proper padding
-    size_t field_size = (EC_GROUP_get_degree(group) + 7) / 8;
-    EC_GROUP_free(group);
+    int bits = EVP_PKEY_bits(pkey.get());
+    if (bits <= 0)
+      throw std::runtime_error("Failed to get EC key size");
+    size_t field_size = (static_cast<size_t>(bits) + 7) / 8;
 
     result.kty = JWKkty::EC;
 
@@ -567,26 +563,22 @@ std::optional<KeyType> HybridKeyObjectHandle::initJwk(const JWK& keyData, std::o
 
     std::string crv = keyData.crv.value();
 
-    // Map JWK curve names to OpenSSL group names
+    // Map JWK curve names to OpenSSL group names and field sizes
     const char* group_name;
+    size_t field_size;
     if (crv == "P-256") {
       group_name = "prime256v1";
+      field_size = 32;
     } else if (crv == "P-384") {
       group_name = "secp384r1";
+      field_size = 48;
     } else if (crv == "P-521") {
       group_name = "secp521r1";
+      field_size = 66;
     } else {
       throw std::runtime_error("Unsupported EC curve: " + crv);
     }
 
-    // Get field size from curve to properly pad coordinates
-    int nid = OBJ_txt2nid(group_name);
-    EC_GROUP* group = EC_GROUP_new_by_curve_name(nid);
-    if (!group)
-      throw std::runtime_error("Failed to create EC group");
-    size_t field_size = (EC_GROUP_get_degree(group) + 7) / 8;
-    EC_GROUP_free(group);
-
     // Decode public key coordinates
     BIGNUM* x_bn = base64url_to_bn(keyData.x.value());
     BIGNUM* y_bn = base64url_to_bn(keyData.y.value());

packages/react-native-quick-crypto/cpp/utils/QuickCryptoUtils.cpp

@@ -0,0 +1,44 @@
+#include "QuickCryptoUtils.hpp"
+#include <openssl/bn.h>
+#include <openssl/core_names.h>
+#include <openssl/evp.h>
+#include <openssl/param_build.h>
+#include <stdexcept>
+
+namespace margelo::nitro::crypto {
+
+EVP_PKEY* createEcEvpPkey(const char* group_name, const uint8_t* pub_oct, size_t pub_len, const BIGNUM* priv_bn) {
+  OSSL_PARAM_BLD* bld = OSSL_PARAM_BLD_new();
+  if (!bld)
+    throw std::runtime_error("Failed to create OSSL_PARAM_BLD");
+
+  OSSL_PARAM_BLD_push_utf8_string(bld, OSSL_PKEY_PARAM_GROUP_NAME, group_name, 0);
+  OSSL_PARAM_BLD_push_octet_string(bld, OSSL_PKEY_PARAM_PUB_KEY, pub_oct, pub_len);
+  if (priv_bn)
+    OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PRIV_KEY, priv_bn);
+
+  OSSL_PARAM* params = OSSL_PARAM_BLD_to_param(bld);
+  OSSL_PARAM_BLD_free(bld);
+  if (!params)
+    throw std::runtime_error("Failed to build EC parameters");
+
+  EVP_PKEY_CTX* ctx = EVP_PKEY_CTX_new_from_name(nullptr, "EC", nullptr);
+  if (!ctx) {
+    OSSL_PARAM_free(params);
+    throw std::runtime_error("Failed to create EVP_PKEY_CTX for EC");
+  }
+
+  int selection = priv_bn ? EVP_PKEY_KEYPAIR : EVP_PKEY_PUBLIC_KEY;
+  EVP_PKEY* pkey = nullptr;
+  if (EVP_PKEY_fromdata_init(ctx) <= 0 || EVP_PKEY_fromdata(ctx, &pkey, selection, params) <= 0) {
+    EVP_PKEY_CTX_free(ctx);
+    OSSL_PARAM_free(params);
+    throw std::runtime_error("Failed to create EVP_PKEY from EC parameters");
+  }
+
+  EVP_PKEY_CTX_free(ctx);
+  OSSL_PARAM_free(params);
+  return pkey;
+}
+
+} // namespace margelo::nitro::crypto

packages/react-native-quick-crypto/cpp/utils/QuickCryptoUtils.hpp

@@ -4,10 +4,8 @@
 #include <cctype>
 #include <limits>
 #include <openssl/bn.h>
-#include <openssl/core_names.h>
 #include <openssl/err.h>
 #include <openssl/evp.h>
-#include <openssl/param_build.h>
 #include <string>
 #include <vector>
 
@@ -111,38 +109,6 @@ inline const EVP_MD* getDigestByName(const std::string& algorithm) {
 // Build an EVP_PKEY from EC curve name + public key octets + optional private key BIGNUM.
 // Uses OSSL_PARAM_BLD + EVP_PKEY_fromdata (OpenSSL 3.x, no deprecated EC_KEY APIs).
 // Caller owns the returned EVP_PKEY*.
-inline EVP_PKEY* createEcEvpPkey(const char* group_name, const uint8_t* pub_oct, size_t pub_len, const BIGNUM* priv_bn = nullptr) {
-  OSSL_PARAM_BLD* bld = OSSL_PARAM_BLD_new();
-  if (!bld)
-    throw std::runtime_error("Failed to create OSSL_PARAM_BLD");
-
-  OSSL_PARAM_BLD_push_utf8_string(bld, OSSL_PKEY_PARAM_GROUP_NAME, group_name, 0);
-  OSSL_PARAM_BLD_push_octet_string(bld, OSSL_PKEY_PARAM_PUB_KEY, pub_oct, pub_len);
-  if (priv_bn)
-    OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PRIV_KEY, priv_bn);
-
-  OSSL_PARAM* params = OSSL_PARAM_BLD_to_param(bld);
-  OSSL_PARAM_BLD_free(bld);
-  if (!params)
-    throw std::runtime_error("Failed to build EC parameters");
-
-  EVP_PKEY_CTX* ctx = EVP_PKEY_CTX_new_from_name(nullptr, "EC", nullptr);
-  if (!ctx) {
-    OSSL_PARAM_free(params);
-    throw std::runtime_error("Failed to create EVP_PKEY_CTX for EC");
-  }
-
-  int selection = priv_bn ? EVP_PKEY_KEYPAIR : EVP_PKEY_PUBLIC_KEY;
-  EVP_PKEY* pkey = nullptr;
-  if (EVP_PKEY_fromdata_init(ctx) <= 0 || EVP_PKEY_fromdata(ctx, &pkey, selection, params) <= 0) {
-    EVP_PKEY_CTX_free(ctx);
-    OSSL_PARAM_free(params);
-    throw std::runtime_error("Failed to create EVP_PKEY from EC parameters");
-  }
-
-  EVP_PKEY_CTX_free(ctx);
-  OSSL_PARAM_free(params);
-  return pkey;
-}
+EVP_PKEY* createEcEvpPkey(const char* group_name, const uint8_t* pub_oct, size_t pub_len, const BIGNUM* priv_bn = nullptr);
 
 } // namespace margelo::nitro::crypto

packages/react-native-quick-crypto/src/hkdf.ts

@@ -3,6 +3,7 @@ import { NitroModules } from 'react-native-nitro-modules';
 import type { Hkdf as HkdfNative } from './specs/hkdf.nitro';
 import { binaryLikeToArrayBuffer, normalizeHashName } from './utils';
 import type { BinaryLike } from './utils';
+import type { CryptoKey } from './keys';
 
 type KeyMaterial = BinaryLike;
 type Salt = BinaryLike;
@@ -15,13 +16,6 @@ export interface HkdfAlgorithm {
   info: BinaryLike;
 }
 
-export interface CryptoKeyInternal {
-  keyObject: {
-    // eslint-disable-next-line @typescript-eslint/no-explicit-any
-    export: (...args: any[]) => any;
-  };
-}
-
 export interface HkdfCallback {
   (err: Error | null, derivedKey?: Buffer): void;
 }
@@ -123,7 +117,7 @@ export function hkdfSync(
 
 export function hkdfDeriveBits(
   algorithm: HkdfAlgorithm,
-  baseKey: CryptoKeyInternal,
+  baseKey: CryptoKey,
   length: number,
 ): ArrayBuffer {
   const hash = algorithm.hash;